7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.478 Medium
EPSS
Percentile
97.5%
Successful exploitation of these vulnerabilities could have a high impact on the confidentiality, integrity, and availability of the vulnerable devices.
Rockwell Automation reports the following products use a version of GoAhead web server vulnerable to both CVE-2019-5096 and CVE-2019-5097:
Rockwell Automation reports the following products use a version of GoAhead web server vulnerable to CVE-2019-5097:
3.2.1 INFINITE LOOP CWE-835
A denial-of-service vulnerability exists in the GoAhead web server. To exploit this vulnerability, a malicious user could send specially crafted HTTP requests and trigger an infinite loop in the process. If exploited, the targeted device could crash.
CVE-2019-5097 has been assigned to this vulnerability. A CVSS v3 base score of 7.5 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H).
3.2.2 USE AFTER FREE CWE-416
A critical vulnerability exists in how the web server processes requests. If exploited, a malicious user could leverage this vulnerability to execute arbitrary code by sending specially crafted HTTP requests to the targeted device.
CVE-2019-5096 has been assigned to this vulnerability. A CVSS v3 base score of 9.8 has been calculated; the CVSS vector string is (AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H).
Rockwell Automation reported to CISA that the devices listed may use a version of GoAhead web server with publicly known vulnerabilities.
Rockwell Automation recommends users apply the latest version of firmware when possible:
If updating firmware is not possible or updated firmware is unavailable, Rockwell Automation recommends the following compensating controls to minimize vulnerability risk:
See the Rockwell Automation Knowledgebase article, Security Best Practices, for more recommendations to maintain security posture of an environment
Users should see the Rockwell Automation security advisory for more information.
CISA recommends users take defensive measures to minimize the risk of exploitation of these vulnerabilities. Specifically, users should:
CISA reminds organizations to perform proper impact analysis and risk assessment prior to deploying defensive measures.
CISA also provides a section for control systems security recommended practices on the ICS webpage at cisa.gov/ics. Several CISA products detailing cyber defense best practices are available for reading and download, including Improving Industrial Control Systems Cybersecurity with Defense-in-Depth Strategies.
Additional mitigation guidance and recommended practices are publicly available on the ICS webpage at cisa.gov/ics in the technical information paper, ICS-TIP-12-146-01B–Targeted Cyber Intrusion Detection and Mitigation Strategies.
Organizations observing suspected malicious activity should follow established internal procedures and report findings to CISA for tracking and correlation against other incidents.
No known public exploits specifically target these vulnerabilities. These vulnerabilities are exploitable remotely. These vulnerabilities have a low attack complexity.
cisa.gov/ics
cisa.gov/ics
cwe.mitre.org/data/definitions/416.html
cwe.mitre.org/data/definitions/835.html
public.govdelivery.com/accounts/USDHSCISA/subscriber/new?topic_id=USDHSCISA_138
twitter.com/CISAgov
twitter.com/intent/tweet?text=Rockwell%20Automation%20products%20using%20GoAhead%20Web%20Server+https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-06
us-cert.cisa.gov/ics/Recommended-Practices
us-cert.cisa.gov/sites/default/files/recommended_practices/NCCIC_ICS-CERT_Defense_in_Depth_2016_S508C.pdf
www.cisa.gov/uscert/ics/alerts/ICS-ALERT-10-301-01
www.cisa.gov/uscert/ics/tips/ICS-TIP-12-146-01B
www.cve.org/CVERecord?id=CVE-2019-5096
www.cve.org/CVERecord?id=CVE-2019-5096
www.cve.org/CVERecord?id=CVE-2019-5097
www.cve.org/CVERecord?id=CVE-2019-5097
www.cve.org/CVERecord?id=CVE-2019-5097
www.dhs.gov
www.dhs.gov/foia
www.dhs.gov/performance-financial-reports
www.facebook.com/CISA
www.facebook.com/sharer/sharer.php?u=https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-06&title=Rockwell%20Automation%20products%20using%20GoAhead%20Web%20Server
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
www.first.org/cvss/calculator/3.0#CVSS:3.0/AV:N/AC:L/PR:N/UI:N/S:U/C:N/I:N/A:H
www.instagram.com/cisagov
www.linkedin.com/company/cybersecurity-and-infrastructure-security-agency
www.linkedin.com/sharing/share-offsite/?url=https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-06
www.oig.dhs.gov/
www.rockwellautomation.com/en-us/support/documentation/literature-library.html
www.surveymonkey.com/r/CISA-cyber-survey?product=https://www.cisa.gov/news-events/ics-advisories/icsa-23-026-06
www.usa.gov/
www.whitehouse.gov/
www.youtube.com/@cisagov
mailto:?subject=Rockwell%20Automation%20products%20using%20GoAhead%20Web%20Server&body=www.cisa.gov/news-events/ics-advisories/icsa-23-026-06
7.5 High
CVSS2
Attack Vector
NETWORK
Attack Complexity
LOW
Authentication
NONE
Confidentiality Impact
PARTIAL
Integrity Impact
PARTIAL
Availability Impact
PARTIAL
AV:N/AC:L/Au:N/C:P/I:P/A:P
9.8 High
CVSS3
Attack Vector
NETWORK
Attack Complexity
LOW
Privileges Required
NONE
User Interaction
NONE
Scope
UNCHANGED
Confidentiality Impact
HIGH
Integrity Impact
HIGH
Availability Impact
HIGH
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H
0.478 Medium
EPSS
Percentile
97.5%